Palo Alto – Monitoring GlobalProtect VPN User Logins

When monitoring GlobalProtect VPN user logins on a Palo Alto firewall, you can find the following details in the authentication logs:

  1. Login Time: Look for “auth-success” log entries. The timestamp of this entry shows when the user successfully authenticated and logged into the GlobalProtect VPN.
  2. Duration: Palo Alto does not explicitly log the duration of a GlobalProtect VPN session in the authentication logs. However, you can estimate the duration by looking at the difference between the “auth-success” (login) timestamp and the subsequent “auth-logout” (logout) timestamp for that user.
  3. Logout Time: Look for “auth-logout” log entries for that user. The timestamp of this entry shows when the user logged out or their GlobalProtect VPN session terminated.
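
To list one user's successful logins, filter the log on the event ID and the user's name, replacing {AD_USER_ID} with that user's AD user ID:

( eventid eq auth-success ) and ( description contains '{AD_USER_ID}' )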

Alternatively, you can check the auth.log file on the firewall, which contains these “auth-success” and “auth-logout” entries with timestamps for GlobalProtect VPN user activity.
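
The duration estimate from item 2, as an added example that is not part of the original page: it pairs each “auth-success” with the next “auth-logout” for one user and also reports logins that never got a logout and logouts with no login, which would otherwise skew the estimate. The comma-separated layout, the sample lines and the function names are constructed for illustration and are not the firewall's actual log format.

```python
import re
from datetime import datetime

# Constructed sample: "timestamp,eventid,description". This layout is an
# assumption for the example, not the firewall's actual log/export format.
SAMPLE_LOG = """\
2024/03/04 08:01:12,auth-success,User 'jdoe' authenticated
2024/03/04 08:15:40,auth-success,User 'asmith' authenticated
2024/03/04 12:31:02,auth-logout,User 'jdoe' logged out
2024/03/04 13:02:55,auth-success,User 'jdoe' authenticated
2024/03/04 15:20:00,auth-success,User 'jdoe' authenticated
2024/03/04 17:45:10,auth-logout,User 'jdoe' logged out
2024/03/04 18:00:00,auth-logout,User 'asmith2' logged out
"""
TS_FORMAT = "%Y/%m/%d %H:%M:%S"

def parse_events(text):
    """Return (timestamp, eventid, description) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 2)
        if len(parts) == 3 and parts[1] in ("auth-success", "auth-logout"):
            events.append((datetime.strptime(parts[0], TS_FORMAT), parts[1], parts[2]))
    return sorted(events, key=lambda e: e[0])

def sessions_for(user, text):
    """Pair each auth-success with the next auth-logout for one user.
    Returns (sessions, unterminated, orphan_logouts): sessions holds
    (login, logout, duration) tuples, unterminated holds logins with no
    logout after them, orphan_logouts holds logouts with no login before."""
    # Whole-word match, so 'asmith' does not also match 'asmith2'.
    who = re.compile(rf"\b{re.escape(user)}\b", re.IGNORECASE)
    sessions, unterminated, orphans, login = [], [], [], None
    for ts, eventid, desc in parse_events(text):
        if not who.search(desc):
            continue
        if eventid == "auth-success":
            if login is not None:
                unterminated.append(login)  # no logout seen for the earlier login
            login = ts
        elif login is None:
            orphans.append(ts)  # logout whose login is outside the data
        else:
            sessions.append((login, ts, ts - login))
            login = None
    if login is not None:
        unterminated.append(login)
    return sessions, unterminated, orphans
```

An unterminated login usually means the session ended without a logout entry or the log window was cut off, so treat its duration as unknown rather than zero.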